Stack-overflow in NULL@0x...28
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5635481819152384
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::Execution::TryCall
Regressed: V8: r36361:36362
Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94qJv5jFVWM-Hjk26yRc6UuPfOoip3BtpC9to5pmBQwY4gtTVTeX_Ag0bSc72GJgi-h-86lNPpFTJetkjBrh01BdTdIslLt___iVc7eDQM9EX1MOVPZJX4mtZt6z2iYVf3m27ygsFg-gJTaxrDAoFt6iK0hsw

    // Minimized fuzzer test case; gc() is only defined when d8 runs with --expose-gc.
    "[4,5,6]", function() {
      // The async arrow has no `arguments` of its own; it captures the enclosing function's.
      return (async () => { return JSON.stringify([...await arguments]) })();
    }();
    // GC pressure while the async call's promise job is still pending.
    function __f_2(n) { while (n > 0) { gc(); n--; } }
    __f_2(6);

Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
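The minimized test case above combines three language features that the crashing V8 build had to handle together: an arrow function has no `arguments` binding of its own and captures the enclosing function's, `await` on a non-thenable value simply yields that value after a microtask, and spread turns the array-like arguments object into a real array, all followed by forced garbage collection while the promise job is still pending. The following is an added example, not code from the bug report or from V8, that restates the test case so it runs under Node or d8 even when gc() is not exposed; the names captureArguments, runTestcase and pressure are assumed here and do not appear in the original.

```javascript
// Added example restating the ClusterFuzz test case in runnable form.
// d8 only defines gc() when started with --expose-gc (Node likewise needs
// node --expose-gc); fall back to a no-op so the script runs everywhere.
const collect = typeof gc === "function" ? gc : () => {};

// An arrow function has no own `arguments`; the nested arrow returns the
// arguments object of captureArguments itself.
function captureArguments() {
  return (() => arguments)();
}

// Same shape as the fuzzer test case: async arrow, `await` on the captured
// arguments object (a non-thenable, so it yields the object itself), spread
// into a real array, JSON.stringify. Returns a promise for the string.
function runTestcase() {
  return (async () => JSON.stringify([...await arguments]))();
}

// GC pressure loop from the test case; the original ran it 6 times right
// after the async call so the pending promise job lived across collections.
// Returns the final counter value (0 when the loop ran to completion).
function pressure(n) {
  while (n > 0) { collect(); n--; }
  return n;
}

// The original test case calls the outer function with no arguments, so its
// result there is "[]"; calling with 4, 5, 6 yields the "[4,5,6]" literal the
// fuzzer left in front of the call.
function main() {
  const pending = runTestcase(4, 5, 6);
  pressure(6);
  return pending;
}

main().then(s => console.log(s)); // "[4,5,6]"
```

Run it as `node --expose-gc example.js` (or `d8 --expose-gc example.js`) to keep the GC pressure that the fuzzer relied on; without the flag the script still runs, but the collections become no-ops and it no longer exercises the GC interaction the report describes.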
May 20 2016
I can reproduce this locally, and Caitlin's patch at https://codereview.chromium.org/1992093003 prevents the issue from occurring.
May 20 2016
ClusterFuzz has detected this issue as fixed in range 36396:36398.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5635481819152384
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::Execution::TryCall
Regressed: V8: r36361:36362
Fixed: V8: r36396:36398
Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94qJv5jFVWM-Hjk26yRc6UuPfOoip3BtpC9to5pmBQwY4gtTVTeX_Ag0bSc72GJgi-h-86lNPpFTJetkjBrh01BdTdIslLt___iVc7eDQM9EX1MOVPZJX4mtZt6z2iYVf3m27ygsFg-gJTaxrDAoFt6iK0hsw

    // Minimized fuzzer test case; gc() is only defined when d8 runs with --expose-gc.
    "[4,5,6]", function() {
      return (async () => { return JSON.stringify([...await arguments]) })();
    }();
    function __f_2(n) { while (n > 0) { gc(); n--; } }
    __f_2(6);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 23 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4506080641548288
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::__RT_impl_Runtime_Call
Regressed: V8: r36361:36362
Minimized Testcase (0.88 Kb): https://cluster-fuzz.appspot.com/download/AMIfv966BJPgZrwuDSMNuAJps0GysW4_5piLfQn-S8VdE5bVqi8jJPpZ_ObmKTjIB_29elmfonTIM5UOwW416_t8svkUlyQZTUOykc2DfIU2EKoAwnQek1F1hKeGE_nHtAnV1T9wjkd4twU36oyfgvDpwI1rTkXxjA
Filer: ishell
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 23 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5705625077547008
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffc8198ec08
Crash State:
  NULL@0x...08
Regressed: V8: r36361:36362
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97575hqEQZNU_0uo4brb13OTXkiJxXY26nUoaw5zLcWlzLDDLewalpogI9eeC_Ox9jwT1q_C0l0JqhiVgkUbOREdNMhCYjhXrDSntq08Xug_N3b7S8e7ccS7h6GwB7X_xsvRKNYcISM_CvHF9utySZrdONmuz7wYRqV-ZBtM0Dm1T9y8eE
Filer: ishell
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 23 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6267502161559552
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffc04949928
Crash State:
  NULL@0x...28
Regressed: V8: r36361:36362
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96SBzm8ff4F2zomYUnQ-53rdJeQPvT1vFnhyFt9JdBMfTM7Rg7Z-FHunCxKORtV9lpwduI_mGuYnhRTUAzTKTV-2ajXzn5BI50Yu-_z7P1Mf4727jkqNajoPCC9jYHgExTGxY-GUnqrd_agQOlyaUxApABXqO6yXOMmzj_t7hD4c8Ud-A0
Filer: ishell
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 23 2016
It's entirely possible that this is related, as the test case does use async/await features. I'm surprised that this is still happening, as async/await is not part of --es-staging anymore, and I don't see the --harmony-async-await flag being passed. There are some bug fixes which may address this: https://codereview.chromium.org/1992093003 has already been submitted, and https://codereview.chromium.org/1996943002 is out for review. I'm not sure whether these builds include the first patch and the unstaging patch. Unfortunately I'm not sure how much time I'll have to address this bug further this week as I am attending TC39.
May 23 2016
Ah, I didn't realize that async/await is already unstaged. All the reports point to the CL where async/await was staged.
May 23 2016
OK, there were a bunch of basically duplicate bug reports due to the staging. In my local testing, it seemed like https://codereview.chromium.org/1992093003 addressed it, but I want the other patch to land before turning it back on in staging.
Jun 9 2016
ClusterFuzz has detected this issue as fixed in range 36396:36398.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6267502161559552
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: Stack-overflow
Crash Address: 0x7ffc04949928
Crash State:
  NULL@0x...28
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36361:36362
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36396:36398
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96SBzm8ff4F2zomYUnQ-53rdJeQPvT1vFnhyFt9JdBMfTM7Rg7Z-FHunCxKORtV9lpwduI_mGuYnhRTUAzTKTV-2ajXzn5BI50Yu-_z7P1Mf4727jkqNajoPCC9jYHgExTGxY-GUnqrd_agQOlyaUxApABXqO6yXOMmzj_t7hD4c8Ud-A0
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 9 2016
ClusterFuzz has detected this issue as fixed in range 36396:36398.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5705625077547008
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000240
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::__RT_impl_Runtime_Call
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36361:36362
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36396:36398
Minimized Testcase (0.26 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97DBmerrOKMTT_tOOGgifydxvrTQ2QmLOztFgiG-y9BBBAJ8sSU4LgvDhFMBd0XqQ9tTLtTA5fPNQZ2uy85EKEwyib3ovODhR7vIulLROPJcn3JZIcWnAXgd63uSnUmvwuRREQF1BubuCyZ3bFqqHJpXPCVfg

    // Minimized fuzzer test case: an async function whose await is never
    // settled by the caller, which only calls .then() on the returned promise.
    try { __v_19 = []; } catch(e) {; }
    function __f_15(expected, run, msg) { var __v_17 = run(); __v_17.then(); };
    function __f_20() {; }
    async function __f_22(value) {
      __v_19.push("start:" + value);
      value = await __f_20(value + 1);
    }
    __f_15(4, () => __f_22());

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 11 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4506080641548288
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::__RT_impl_Runtime_Call
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv979je0XrwzXWdTonBZEzpvf8t8kWI3ZyDu4w3foZh2rq-xaO2nXMqg4n7XJvYvsD6nyQPE9ubzFJ-HEitsycqfQ0QA9D8NkxRW0RnmmWK5x6GSCLJJ6ALxoqp_aIAa5owC6xv_dIbdp5Cm_ZV6VGch0N5K79g
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 13 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, May 20 2016: Status: Assigned (was: Available)